Why Use UNC Paths Instead of Windows Mapped Network Drives

When a user logs on to a Microsoft Windows machine that uses Windows User Account Control (UAC), the logon session actually creates two access tokens. Even though the user name is a member of the Administrators group, it sometimes seems that the Administrator rights are not available.

Windows has a process called the Local Security Authority Subsystem Service (LSASS). When a user logs on, LSASS creates two different access tokens behind the scenes from that single user logon to Windows.

What problems can occur when a user logs on and should have both standard user rights and Administrator rights? We know that to gain Administrator rights when running an application that requires them, we can click [Yes] when the "User Account Control" dialog pops up. In other situations we do not see the UAC pop-up, for example when the user opens Windows File Explorer (Explorer) or a Command window without selecting 'Run As Administrator'. Below are some of the actions an admin user can perform without elevating via UAC:

  • create a network share
  • create a network drive
  • substituting a drive letter for a network or local path, using the SUBST command

Standard User Rights - For example, when Explorer is opened (not elevated) to create a mapped drive, the mapped drive is created under your standard user token (to simplify this topic, let's call it 'token Standard'). In this case, any application that runs and requires elevation via UAC will be unable to see the mapped drives created by 'token Standard'.

Administrator Rights (elevated) - If you select 'Run As Administrator' to open Explorer, then the user credentials run under the other token (let's call that 'token Admin'). In this case, any application that runs and requires elevation via UAC will be able to see the mapped drives created by 'token Admin', but will not be able to see any mapped drives created by 'token Standard'.

Therefore, whenever you assign network shares or mapped drive letters, or use the SUBST command to substitute a drive letter for a network or local path, the program you open to make the assignment will create it under either 'token Standard' or 'token Admin' (the simple names used above).

Suggestions when using these double tokens from a single log on:

  1. If you want the assignment to be seen by an elevated application, then create the assignments in an application that is elevated.

  2. If you want the assignment to be seen by a standard user program, say in Explorer, then create the assignments in an application that is not elevated.

  3. If you want the assignment to be seen by both elevated applications AND non-elevated programs, then create the assignments in an application that is elevated ('Run As Administrator'), and also create the same assignments in an application that is not elevated (not 'Run As Administrator').
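As an added example (not part of the original article), the PowerShell script below shows suggestion 3 in practice: it reports which token the current session runs under, maps a share under that token, and then launches an elevated PowerShell (which triggers the UAC prompt) to create the same mapping under 'token Admin'. The server, share and drive letter (\\FILESRV01\Backups, X:) are placeholders; the Test-IsElevated and Show-VisibleMappings helper names are this example's own.

```powershell
# Added example: map the same share under both tokens of one logon.
# Placeholders: \\FILESRV01\Backups and X: must be replaced with real values.

function Test-IsElevated {
    # True only when the current process holds the full (elevated) Administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Show-VisibleMappings {
    param([string]$Label)
    $token = if (Test-IsElevated) { 'token Admin' } else { 'token Standard' }
    Write-Host "[$Label] running under $token"
    # Only mappings created under the same token as this process are listed;
    # drives mapped under the other token do not appear here.
    Get-SmbMapping | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize
}

$DriveLetter = 'X:'
$RemotePath  = '\\FILESRV01\Backups'   # placeholder share

# 1) Map under the token this script was started with (normally token Standard
#    when launched from a plain, non-elevated PowerShell window).
New-SmbMapping -LocalPath $DriveLetter -RemotePath $RemotePath -Persistent $true | Out-Null
Show-VisibleMappings -Label 'current session'

# 2) Create the same mapping under token Admin by starting an elevated
#    PowerShell. The UAC dialog appears here; the new process has its own
#    drive table, so the mapping must be repeated inside it.
if (-not (Test-IsElevated)) {
    $inner = "New-SmbMapping -LocalPath '$DriveLetter' -RemotePath '$RemotePath' -Persistent `$true; " +
             "Get-SmbMapping | Format-Table -AutoSize; pause"
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList '-NoProfile', '-Command', $inner
}
```

Run the script from a non-elevated PowerShell window. The first listing shows the X: mapping made under 'token Standard'; the elevated window that opens shows only the mapping it created itself, which is exactly the split the article describes.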


Mapped drive letters vs. UNC paths
I suggest using UNC paths (\\computer\share\folder\...) instead of mapped drive letters when referencing a network path.

Reasons:

  1. A backup program like Double Image (or any other application that requires elevated privileges) can be run via the Windows Task Scheduler when no user is logged on. For a scheduled task to run when no user is logged on, the task has to run elevated under the Windows 'System' account. This means the application runs without a user being logged on.

    So what's the problem? Since no user is logged on, Windows does not make mapped drive letters available to the running application, hence a backup program will not have access to a user's mapped drive selections. UNC paths will always be available to reference.

  2. As an admin user you don't need to worry about, or remember, whether you mapped the drives elevated or not elevated for subsequent applications to run.

  3. When moving an application's parameter settings to another machine, the admin does not need to remember to take the additional step of creating mapped network drive letters, because UNC network paths remain the same and require no parameter changes.
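To see reason 1 directly, the added example below (not from the original article or from Double Image) registers a one-off scheduled task that runs as the 'System' account, probes whether a mapped drive letter and a UNC path are reachable from that context, and writes the answers to a log file. The drive letter X:, the share \\FILESRV01\Backups, the log path and the task name are placeholders. Registering the task itself requires an elevated PowerShell session.

```powershell
# Added example: probe drive-letter vs. UNC visibility from a task running as SYSTEM.
# Placeholders: X:\ and \\FILESRV01\Backups must be replaced with real values.
# Run this from an elevated PowerShell (Register-ScheduledTask needs it).

$DriveLetter = 'X:\'                       # a drive mapped in your own logon session
$UncPath     = '\\FILESRV01\Backups'       # placeholder share
$LogFile     = 'C:\ProgramData\unc-vs-drive.log'
$TaskName    = 'ProbeUncVsDrive'

# The command the task will execute. It is built here so the placeholder
# paths above are substituted; it contains only single quotes internally.
$probe = "'Drive $DriveLetter visible: ' + (Test-Path '$DriveLetter') | Out-File '$LogFile'; " +
         "'UNC $UncPath visible: ' + (Test-Path '$UncPath') | Out-File '$LogFile' -Append"

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -Command `"$probe`""
# ServiceAccount logon type with the SYSTEM identity: no user logon involved,
# so user-specific mapped drives are not part of this task's environment.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5                      # give the task time to run and write the log

Get-Content -Path $LogFile
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

The log line for the drive letter shows the mapping is not visible to the SYSTEM task even though it works in your own session, while the UNC line depends only on permissions. One caveat a practitioner should keep in mind (an assumption of this example, not a statement from the article): a task running as SYSTEM authenticates to a remote share as the computer account (DOMAIN\COMPUTERNAME$), so the share and NTFS permissions must grant that account access or the UNC probe will also report False.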